Personal data in the pandemic
Rafael Amador Espinosa
In Mexico, the Ministry of Health recently published a notice in the Official Gazette of the Federation (“DOF”) declaring as a “health emergency due to force majeure, the epidemic of disease caused by the SARS-CoV2 virus (COVID-19)” which the World Health Organization has already classified as a Pandemic.
This has had several legal effects, including some related to the processing of personal data, as we must remember that our current and future health status is considered sensitive personal data. The Federal Law on the Protection of Personal Data in Possession of Individuals (the “Law”) provides that it is always necessary to obtain the express written consent of its holder in order to process it, and that no database containing sensitive personal data may be created without proper justification.
The use of sensitive personal data might be done without the consent of the holder, when it is indispensable for medical care or treatment, as long as the holder is not able to provide consent, but this can only be done by persons subject to professional secrecy.
Article 4 of the Law expressly states that one of the limits to the principles and rights of the Law, among others, is public health and security and therefore some questions arise, such as the following:
Can the declaration of an emergency be considered an exception to the principles and rights of the Law?
In our opinion such is not an exception to continue to observe the principles and rights contained in the Law regarding the processing of personal data.
However, in cases that tend to maintain public safety and health, it is necessary to recognize that, for example, the principle of consent, or the rights of cancellation and opposition, are limited when facing a state of emergency declared by the Government of Mexico. But some others legal concepts should prevail, such as the principle of legality, purpose, quality, proportionality and responsibility, as well as the rights of access and rectification.
In accordance with articles 136 and 138 of the General Health Law, in cases of any disease presented in the form of an epidemic, the chiefs or heads of laboratories, directors of medical units, schools, factories, workshops, asylums, heads of offices, commercial establishments or of any other nature and, in general, any person who, due to ordinary or accidental circumstances, becomes aware of any of these cases, must immediately notify the Ministry of Health or the nearest health authority.
Therefore, to use sensitive personal data regarding the health status of a person when he or she is infected or possibly infected with the SARS-COVID-19 virus, his or her consent is not required to notify health authorities, as this is an obligation provided for in the General Health Law in addition to this being considered an emergency situation.
All other information considered as personal data and sensitive personal data must be protected by all the principles and rights established in the Law. As a matter of fact, the National Institute of Transparency, Access to Information and Protection of Personal Data (“INAI”) in the “Notice through which various measures are approved to guarantee the rights of protection of personal data and access to information, in the face of the contingency situation generated by the so-called COVID-19 virus”, published in the DOF on March 27th, 2020, instructed, as part of their proactive transparency activities, to establish channels of communication with the various regulated subjects in the health sector, in order to guarantee the proper processing of the personal data of all those who may be affected by the COVID-19 virus pandemic.
These provisions have been common internationally. In the case of Canada it has been pointed out that “During a public health crisis, privacy laws still apply, but they are not a barrier to appropriate information sharing”.
May the persons responsible for data collection and management ask their employees or visitors to report their health status (any symptoms of Covid-19) as a pandemic mitigation measure? May they ask for travel records of their employees or visitors?
In accordance with the Law, the data collected by personal data controllers must be done in a responsible and proportionate manner and, in case of personal data considered sensitive, they must do it under the principle of express consent. As a recommendation, the privacy notice should be drafted with particular characteristics in case persons responsible for collecting this type of information in accordance with the principle of legality and information.
On its part, INAI has enabled a microsite due to the pandemic, where it answers the following question “On the occasion of COVID-19, can you request additional health information to that which your employees provide you” stating: “Preferably, it is recommended that the employer encourages employees to voluntarily report their symptoms or recent trips to places of risk to which they have travelled, personally, to the occupational physician, and not through extensive forms about their health status or frequent destinations, as this is disproportionate. The personal health data requested from employees should be the minimum necessary to ensure that measures are taken for the safety of the workplace and that all information collected is treated with appropriate safety guarantees.”
Is it valid to take the temperature of people through devices at the entrance of your facilities or through thermographic cameras?
In principle, this type of information is directly related to the health status of a person, we must not lose sight of the fact that it is also personal data considered sensitive, therefore, the same principles that we have commented on the express consent are applicable.
However, as this is an aspect related to public health and safety, it is considered a limit to the principle of consent, and the General Health Council has recommended this to be done with the aim of preventing contagion.
In France, for instance, taking the temperature of employees or visitors is not allowed at work, but companies are invited to inform health authorities about people with symptoms, and they emphasize the obligation of employees to disclose the symptoms in accordance with the French labour code.
Should the persons responsible for data collection and management give notice of these measures?
It is advisable that the necessary revisions and, if necessary, adjustments are made to the privacy notices of those responsible, so that the data is collected in a legitimate, controlled and informed manner.
For example, if the responsible uses thermographic cameras to measure the temperature of his employees or visitors, it is advisable to give notice to the owners of the data, through their privacy notice or special signage.
May the persons responsible for data collection and management transfer this information to third parties, whether they are health institutions or not?
Persons responsible for data collection and management must always adhere to the provisions of their privacy notice, as well as to the principles set forth in the Law and its regulations. When referring to information considered as sensitive personal data, the transmission must adhere to the principles of express written consent.
However, an exception for the transmission of personal data is that there is an obligation established by law, in this case the obligation to notify the Ministry of Health or the nearest health authority. This transmission of personal data should only be made to health authorities and not to any other third party.
Likewise, after notification it is recommended that such information is passed through a process of dissociation to avoid the owner being subject to discrimination. The transfer to third parties, other than health authorities, is not allowed as an exception, and should rather be made in accordance with the provisions of the Law and the applicable privacy notice.
For example, in Peru, disclosing the health status without the owner’s consent might be fined with between 21,500 and 215,000 soles. In Mexico the fine is between MXN$49,288.00 and MXN$78,860,800.00.
May public institutions or organizations use personal data related to people’s health?
Public institutions may only use personal data in accordance with the General Law on the Protection of Personal Data in the Possession of Compelled Subjects and the General Law on Transparency and Access to Public Information.
In particular, they may use the personal data of the owners, even without their consent, when an emergency situation exists that might potentially harm an individual or when the personal data is necessary to carry out treatment for prevention, diagnosis, or the provision of health care.
In Argentina, the National Ministry of Health and the provincial ministries may use health information without the consent of the data subjects, in accordance with their legislation.
Do companies with home-office employees have to take additional measures for the protection of personal data?
Since a considerable amount of information will be treated outside the source of work, it is advisable for employees to be aware of and sensitized about the care and confidentiality they must keep regarding personal data, and maintain the same standards of protection established in the privacy notice of the responsible at all times.
Likewise, it is advisable to use the electronic means provided by the company, through reliable applications and systems, as well as the use of security measures, for the protection of the information.
* * *
In conclusion, our recommendation is that those responsible for personal data should revisit their privacy notices and, if necessary, modify them to comply with the principles of the Law and the current measures taken before the pandemic.
It is important for everyone to share responsibility to prevent the spread of the COVID-19 virus, always taking into account the recommendations of the health authorities, particularly those established in the Agreement that determines the essential activities that may continue to operate in the period from 30 March to 30 April 2020. You can consult our article regarding this publication here.
Should you have any questions or concerns regarding the above, or require advice over any other specific subject, please do not hesitate to reach out to us.
Rafael Amador Espinosa
ramador@rrs.com.mx
